AWS Member Accounts Onboarding
  • 3 Minutes to read
  • PDF

AWS Member Accounts Onboarding

  • PDF

About this document

This document contains all the information and step-by-step procedure to onboard AWS Member Accounts to SAFE.


SAFE offers rapid onboarding of Cloud AWS Accounts. Now, SAFE Admin can configure the AWS accounts from SAFE Hooks. AWS configuration is available under Administration > SAFE Hooks > Assessment Tools. Upon successful configuration and confirmation, SAFE scans the added AWS accounts and automatically onboards and assesses the assets under Cloud-AWS vertical.


The onboarding and assessment of AWS Member Accounts using the Management Account in AWS are possible using the StackSets feature of CloudFormation in AWS. StackSets will enable the AWS Admin / Delegated Admin to deploy cloud formation stacks in multiple accounts from the Management Account.

Add AWS Member Accounts

To add AWS Member accounts:

Section 1: Steps to be performed on SAFE UI

  1. Navigate to Administration > SAFE Hooks > AWS
  2. Click the Configure button available on the AWS card
  3. Click the Add Account button.
  4. Click the Member Account Tab.
  5. If needed, Set the Expiry by marking the checkbox and selecting a date of expiry.
  6. Click the Generate button to generate the Generate AWS StackSet parameters. The System automatically generates the AWS Onboarding link.
  7. Click the Generated link. The system will redirect you to the AWS console.

Section 2: Steps to be performed on AWS Console

  1. On the AWS console, a page with the title “Choose a template” will open up.
  2. On the Choose a template page”
    1. In Prerequisite - Prepare template section, select the option “Template is Ready”.
    2. In the Specify template section, under the Template source, select Amazon S3 URL.

    3. Copy the Template URL from SAFE and paste it into the Amazon S3 URL field.
    4. Click Next.
  3. In Specify StackSet details:
    1. Specify an appropriate StackSet name and relevant StackSet description in the respective fields.
    2. In Parameters:
      1. Copy the ExternalID from SAFE and paste it in the respective field.
      2. Copy the NotificationTopicArn from SAFE and paste it in the respective field.
      3. Copy the TenantID from SAFE and paste it in the respective field.
      4. Copy the TrustedRoleArn from SAFE and paste it in the respective field.
    3. Click Next.
  4. In Configure StackSet section:
    1. Configure tags, if needed, in Tags.
    2. In Permissions - Choose any one of the 2 types of permissions shown -
      1. (RECOMMENDED) Service-managed permissions - With these permissions, you can deploy stack instances to accounts managed by AWS Organizations in specific Regions. You don't need to create the necessary IAM roles; StackSets will create the IAM roles on your behalf. If any new account is added to the Management account in the future, it will get auto-discovered on SAFE, provided Automatic deployment is Enabled in the Set Deployment Target Section.
      2. Self-Managed Permissions - With these permissions, you can deploy stack instances to specific AWS accounts in specific Regions. You must first create the necessary IAM roles to establish a trusted relationship between the account you are administering the StackSet from and the account you are deploying stack instances to.
        If the customer wants "per-account" control (eg: delete the stack in a single account after deployment) on the stack set, they should choose Self-Managed Permissions. With the Service-managed permissions, users can only perform actions (eg: delete) at an OU level. Hence, Self-managed permissions offer more granular control, even though they will require higher maintenance effort than Service managed permissions.
    3. Click Next.
  5. In the Set deployment section:
    1. In Deployment Targets:
      1. Choose one of the 2 options shown:
        1. If you want to deploy stack to all accounts under the Management Account, choose to Deploy to the organization.
        2. If you want to onboard only a subset of your OUs, choose to Deploy to organizational units (OUs).
      2. Choose the appropriate options for Automatic deployment and Account removal behavior.
    2. In Specify regions, select the region as shown in Specified Regions in SAFE.
    3. In Deployment options, specify values for Maximum concurrent accounts and Failure tolerance, if needed. Note: If Failure tolerance is a small value, stack creation failure in that many accounts will cause the entire StackSets deployment to stop.
    4. Click Next.
  6. Review the options and deploy the stack sets by clicking Submit.
  7. Once deployed, StackSets can be viewed from AWS Console > CloudFormation > StackSets
  8. To view individual stacks, click on the StackSet Name > Stack Instances.

If any of the AWS Member accounts were already onboarded individually in SAFE by “creating a Stack using the Quick create-link (from the Assume Role section of Add Account page) and we try to deploy another stack in the same account using StackSets from the Management Account, the stack creation will fail for that AWS  member account where the stack already exists. Admin should delete the individual stack before deploying a StackSet in the OU containing the AWS Member account.

Was this article helpful?